Expert advice on cybersecurity, cybersafety and cybercrime. Using real incidents, I explain why cyber risks occur, what form they take, and how they affect cybercitizens as individuals, employees, citizens and parents. Opinions expressed in this blog represent my personal views.

Tuesday, September 30, 2014

The last few days saw frenzied remediation of a critical vulnerability called Shellshock, which allows a hacker to fire remote privileged commands at UNIX servers. UNIX is an integral part of the core Internet infrastructure, and BASH (the shell which is vulnerable) is a well-used program. The program had been in use for the last thirty years before the flaw was recently uncovered.

A remote compromise simply means that websites, cloud services and internal datacenters are all vulnerable to cyber-attack, either from malicious insiders or, if accessible remotely, from cybercriminals across the globe. Such attacks result in data theft, downtime and outright wiping of data from these servers. Given the nature of BASH, there is the fearful possibility of automated exploitation of the vulnerability using small pieces of mobile code called “worms”, which travel over the network infecting servers.

The good news for most cybercitizens using the Windows operating system is that it is not affected, and therefore home networks which use Windows-based laptops and desktops are relatively safe. Apple has released a patch for the Bash vulnerability for its OS X Lion, Mountain Lion and Mavericks software. Mac users are advised to download the Bash update and patch their systems. Apple had earlier advised that OS X systems are safe by default and not exposed to remote exploits of Bash unless users configure advanced UNIX services. The bad news is that most online services are built on UNIX, and unless they are patched quickly a potential breach would affect cybercitizens’ security and privacy.

Most of the large service providers will take quick steps to assess their vulnerability and ensure remediation with available patches and other countermeasures. This should reduce the risk to most of the services cybercitizens commonly use. Cybercriminals will attempt to exploit the time to remediate by targeting vulnerable and financially lucrative systems. Therefore, for system administrators and security professionals it is literally a race against time. Cybercitizens who own Apple Macs should install the patch quickly.

There are multiple core vulnerabilities yet undiscovered or undisclosed, which in future will have an overriding effect on the resiliency of the networks and services that form the Internet. These exist due to the difficulty of security testing products, assumptions about the secure nature of mature products and, as we are all well aware, governmental action which requires pre-installed backdoors or weakened security defenses, such as in the case of data encryption.

Cybercitizens should be aware that core vulnerabilities are a lurking problem that may surface as targeted attacks on large companies at any point in time, and will most certainly be used during a proxy or cyberwar. Governments today maintain a war chest of similar vulnerabilities.

The only tip that I could possibly offer is to keep an offline copy of the data or transactions stored online. Paper back-up of critical documents may seem archaic but seems to be a good idea.

Sunday, September 28, 2014

In mid-2013, the Indian government in its National Cyber Security Policy outlined the need for India to create half a million security professionals to protect and assure its digital assets. A policy focus of this magnitude necessitates the introduction of cybersecurity postgraduate programs in India’s higher education system and a larger fund outlay to promote academic research in security. On the cards are venture funds to help entrepreneurs invest in the local manufacture of indigenous telecom and security products, in an attempt to tap Indian IT talent to create a new industry sector.

While the economic need for security professionals to protect a strong and vibrant economy is a reality, with 1.2 billion Indians online we face a much larger social challenge: to minimize security risk and instill ethical use. Citizens will engage in online social activities like games and social media, e-governance, personal communication, ecommerce and much more. A digital India will comprise at least 5 billion individually owned digital assets online, now called the Internet of Everything. These include Internet-connected refrigerators, microwaves, thermostats, net nannies, cars, wearables, health devices and so on, all of which are to be secured by each cybercitizen on their own.

State intervention in personal online security will be a daunting task. Today we face challenges in drafting legislation and in gearing up the law enforcement and judicial system to deal with infringements. Training of the Indian judiciary and law enforcement is itself a huge challenge. The numbers are, at the minimum, 1,00,000 policemen and judges to provide the very basic investigation and forensic assistance at every police station and court house.

The greatest risk to a large citizen-owned digital asset base is twofold. The first is the exploitation of unprotected or inadequately protected assets by cyber criminals. Compromised assets are used to steal money from cybercitizens themselves as well as a staging point to launch attacks on others. The second, and more important, is the security issues introduced by the non-ethical and unsafe use of social media and technology by young Indians.

There is no doubt that a young India will immensely benefit from the opportunities that cyberspace brings and that we should gear up to openly embrace its spread and use. But at the same time we need to instill in every Indian a culture of cyber ethics using traditional Indian values, and the ability to protect themselves online. Online, as there is no attribution, no valid authenticity to digital content, and crime is global, the opportunity for manipulation by exposure to content such as pornography, radical ideologies, divisive political elements and advertisement is immense.

Cybercitizens themselves, and not politicians, will have to shape the future of this new world: a world which at minimum requires every school to have cyber-safety and ethics courses as part of its curriculum. A few awareness lectures will not suffice. We need to instill deep values in our children. More importantly, given the divide between parents who grapple to use the Internet and their children who are digital adepts, attention has to be paid to the cyber safety education that parents receive to help them guide and be good role models to their children. Unfortunately, there have been many cases where adults set a bad example themselves through their online comments and actions. For parents wanting to understand the basics of the cyber risks faced by children and their prevention, please read my short awareness course titled “Keeping your child safe online”.

The Internet
of the future will be all pervasive and bring in opportunities for children of
all ages. Let us not fritter it away by not preparing our children to use it
safely, securely and without fear.

Saturday, September 27, 2014

To make an online credit card purchase, cybercriminals must have knowledge of the information on the front and back of the credit card, namely expiry date, cardholder’s name and CVV number. Online, it does not matter whether the credit card uses the stronger chip and PIN technology or the old-fashioned magnetic stripe, as the physical card is not needed.

Credit card information is a highly perishable asset in the underground market whose value is largely determined by its validity, and enhanced if additional information such as the owner’s buying behavior and home location is known. Stolen credit card data is sold in batches using dedicated websites or forums to criminal outfits which resell them in smaller batches, much like a retail supply chain comprising producers, distributors and resellers. At each stage the buyer may resell the same information multiple times. With time the value of the cards drops as the percentage of non-valid cards in a batch increases. To validate if a card is active, criminals use a process called “carding”. Carders will take a batch of stolen credit cards and attempt to use them to make small low-value purchases to verify the card works.

The continued spate of data breaches is a clear indication of the thriving market for credit card information. Once the data is stolen, criminals are normally in a race against time to extract as much money as possible, usually within the first few weeks of a breach. They exploit two time windows: the first is between the actual theft and the victimized company notifying its affected customers, and the second is the time taken by a notified card owner to deactivate the card. The entire window of exposure from theft to card deactivation can range from a few weeks to months. Data breaches are just one of the ways by which thieves get hold of credit card details; information could be obtained from normal use at stores, hotels, copies we make for visa applications and so on.

To facilitate a more secure online experience, credit card companies have instituted an additional authentication measure called 3D Secure, which requires a user to enter a preregistered secret code. Unfortunately, getting past this additional authentication mechanism is not difficult, as the cybercriminal could easily guess the code, reset it with publicly available information such as the credit card holder’s date of birth and mother’s name or, as in most cases, phish the information. Very recently, the system seems to have been made more secure using a One Time Password sent directly to a mobile phone instead of having to enter a passcode. One lacuna is the lack of an alert if an incorrect password is entered, which would indicate a criminal’s attempt to use the card online. While the OTP system is much more secure, it can be compromised if your phone becomes infected with sophisticated malware designed to pass on such SMSs to cybercriminals, but it will negate the value of bulk stolen data in underground markets.

The best way to protect against fraudulent losses is to maintain vigilance over transactions made and to swiftly block the card the moment a fraudulent transaction occurs. In India, credit card companies send an SMS alert to the card owner each time a transaction is made. If that fails, the next option is to scan the monthly credit card statement. Quick deactivation of the card helps to curb losses and to claim insurance.

Choosing a credit card with few caveats and hassles when claiming a refund for a fraudulent transaction is a good idea. When signing up for a card, it is always a good idea to find out what the fine print says about claiming a refund. Most of these come with caveats, for example the value of the insurance and the valid time to make a claim; in some cases the refund is applicable only if the fraudulent transaction is reported within 24 hours or if the card was previously reported as stolen. Insurance payouts may be higher if the transaction used 3D Secure authentication, and some insurance companies may allow you to claim within 15 days of receiving your credit card statement. Most require that a police complaint is filed.

While the main focus of this article was online fraudulent purchases, in countries which still use magnetic stripe cards the stolen data is used to clone cards, which are then used to make in-store purchases. Chip and PIN users are safer as the technology is difficult to clone. In many countries no alert is issued through SMS. If you are aware that your card was stolen, then report it immediately. The other advice remains the same as for online frauds.

Monday, September 22, 2014

Compromise of authentication credentials to gain access to online services is the weak link most often exploited by cybercriminals and casual hackers. Empowered with the genuine authentication codes, the cyber intruder usually abuses the stolen identities to earn money through money transfers from Internet Banking accounts, online buying and selling, or cashing gaming points. The casual hacker is usually known to the account owner and hacks for fun or for revenge, planting fake posts on social network sites, viewing personal pictures or reading personal emails.

Authentication credentials are exploited in four ways:

Passwords that are simple are easy for cyber criminals to guess or crack using tools. The secret questions used to reclaim a forgotten password are in many cases easier to guess than the password itself. If these passwords were reused on other more important sites, the cybercriminal gains access to those services too. To avoid these types of attacks, cybercitizens should use strong passwords and difficult-to-guess secret questions and not reuse them.

In large data breaches the entire password database was stolen by the misuse of privileged access rights by trusted insiders, compromised administrative authentication codes or via an application flaw. In this way the cyber intruder obtains a large bulk of passwords which are used to compromise accounts on the affected services as well as on other services where the password may have been reused. To avoid these types of attacks, cybercitizens should regularly change their passwords, not reuse them and if notified about a breach immediately change the password.

Sophisticated malware that has been unintentionally downloaded as part of free software or during a visit to malware-infected sites helps steal authentication credentials from user devices. Such malware intercepts user credentials when the user logs on to online services. Sophisticated malware, besides stealing authentication credentials, can intercept one time passwords sent from financial sites via SMS, which when used in conjunction with spoofed sites are highly effective in compromising a user’s financial transactions. Cybercitizens should install a reliable antimalware product that blocks malicious sites and filters malware. Though not foolproof, it helps reduce the risk. To avoid spoofed sites, it is best to check the ownership and validity of the SSL certificate by clicking on the padlock in the address field of the browser.

Passwords are in many instances naively handed over to cybercriminals impersonating law enforcement officers, bank officials or even IT support. Cybercitizens are tricked into believing that these requests to share passwords come from genuine and authoritative sources. To avoid such types of attacks, cybercitizens should never share their passwords, as no organization will ever ask for them by phone or mail.

Saturday, September 20, 2014

It is quite
well known that except for a very few countries that allow it, in most others
the creation, distribution and consumption of pornographic content is not
permissible. Actually, it is illegal and usually punishable with a prison
sentence. Governments which allow porn, benefit from the 100 billion dollar or
more Internet pornographic industry.

Today, the
concept of soft porn which raged in the eighties no longer exists; it has been
replaced by what we call sensual advertising. What is easily available on the
Internet is hard porn showing erotic fantasies and sometimes violent or abusive
sexual acts. Most of the pornographic sites do not even have the mandatory age
notification and directly host hard porn on their home page. The ill effects of
pornographic content on impressionable young children, starting from as early an
age as eleven, are well known. Normal relationships and sexual acts are redefined,
and as a consequence unnatural sex such as anal sex is on the rise. It is a documented statistic that such acts reshape
the perception of women in society and have led to a rise in cases of sexual
misconduct and violence.

Mobile phones
and fast internet connections are making it easier for children to consume porn
at odd hours, in schools and colleges and everywhere else. Entrepreneurial
shopkeepers in India have seized on a business opportunity to sell preloaded
memory cards with downloaded pornographic content to their customers who do not
have an Internet connection. Instant messaging apps have made it easier to
sext, that is, to send nude or seminude selfies to partners. In many countries a nude
selfie would actually contravene the law and one taken by an underage child
would invoke the harsher penalty of child pornography.

Most
companies rely on content filtering technologies and strict penalties to block
pornographic sites. They are quite successful in blocking porn use with the
added benefit of limiting exposure to malware that is normally found on
illegitimate sites. Similar technologies, though not foolproof, can block
the casual user from stumbling on pornographic material. Most countries have already
mandated their telecom service providers to install technology to filter
Internet sites based on court or government directives, as it is difficult to
shut down sites hosted on Internet servers in other countries. True, these
filters can be bypassed by proxies and there is the difficulty of pinning down
the addresses of fast moving illegal pornographic sites but it would still
restrict usage. Porn censorship will certainly limit the use of pornography,
much in the way that prohibition cuts down alcohol consumption, though it
still remains available through a thriving black market.

Personally, I
believe the big reason why governments fail to censor is because of the assumed effect on their vote bank. Young voters in the digital age consider paramount their
“freedom of expression online”. In reality, most of these digital citizens are
themselves concerned as to the ill effects of pornography and would endorse any
attempt to filter these sites, provided the decisions to filter are made
transparently.

Wednesday, September 17, 2014

Militants from
Islamic State (Isis) are so dependent on broadcast sites like Twitter that they
recently threatened to kill Twitter employees if they continue to shut down
their accounts used for propaganda. The group uses hashtags of major
events such as the World Cup to disseminate pro-Isis content, in addition to
using various Isis-specific hashtags. Hashtags such as #WorldCup2014 allow
Twitter users to easily search for related content.

As
cybercitizens increasingly use closed group instant messaging channels like
WhatsApp for their private conversations, Twitter still remains a favorite
public broadcast medium for extremist groups who propound their ideology to
gain more recruits or to establish legitimacy, politicians who generate hate
campaigns to polarize and gain votes, and individuals who deliberately write sensational
comments to draw attention to themselves.

The ability
of Twitter to police rogue usage is minimal. Many times their posts fall in “grey”
areas of offensive versus inoffensive content, making it difficult to moderate.
In most cases, deletion or inactivation of accounts happens much after the
damage has occurred. This does not prevent the perpetrators from establishing
alternate or slightly different Twitter IDs to resume their propaganda. Most of these rogue accounts cannot be acted
upon by law enforcement because the countries from which they operate either
do not have effective law enforcement or do not yet consider it a crime.

Inciteful posts
have high impact, and are often unsubstantiated. Being public broadcasts they
rapidly go viral and reach a large global audience. Posts such as those sent by
ISIS have been effective in influencing youngsters to join their ranks from across
the world. Youngsters taken up by these messages sign up for a cause from
which there is no return, even when the harsher realization dawns.

Governments have an active interest in not barring these tweets, as they form a rich source of real-time information, in many ways more useful than covert intelligence. Sympathizers in countries with effective law enforcement may put themselves into trouble if they draw attention through retweets or likes. Of late, governments have attempted to spread counter messages to negate the effect of these broadcasts.

Monday, September 15, 2014

It takes shocking
incidents to bring to fore what is a rapidly growing problem with children; a
predisposition to the excessive use of the Internet while avoiding studies,
social interactions and physical activity. Recently in the Indian city of Pune,
a 15-year-old student addicted to the Internet turned violent and tried to
attack his teacher mother with a kitchen knife when she tried to take away his
smartphone. The student spent hours on different messaging platforms and had
around 500 friends, most of whom he had never met in person. He even borrowed money from nearby
shopkeepers to recharge his mobile. The boy was so addicted that after being
taken for counselling he stripped naked in protest at the hospital and threatened
to harm himself if his net access was taken away.

Online
chatting offers children a way to escape emotional problems and they start to
think that these online friends care for them more than their parents. Imagine
the confusion last week in another part of India, when a twenty year old
decided that an elderly nurse he met on Facebook was his “mother” and wanted to
swap his real parents for her. The Facebook mom landed up at her “son’s” door,
to add to the confusion of his parents, where he clasped her hand and expressed
a desire to go with her.

According to
Indian psychologists and child counsellors there is a 40 per cent year-on-year
rise in the number of Internet addicts aged between 8 and 18, driven by the
easy access to technology, peer pressure and messaging apps.

The most common forms of Internet addiction are cybersex, online gaming, and cyber-relationships.

Cybersex is the compulsive use of Internet pornography and adult chat rooms.

Cyber-Relationship addiction is an addiction to social networking, chat rooms, texting, and messaging.

To find out if your child is vulnerable to Internet addiction, watch for these behavioral changes:

Becomes irritable or agitated when time online is interrupted. In the case of the Pune student he turned violent, threatened to harm himself and even stripped naked.

Withdrawal from activities that involve socialization with real people. Most addicts isolate themselves from people and spend most of their time with virtual friends.

Spends a lot of time online at all or odd hours. Addicts constantly message driven by the urge to respond to their online constituency instantly. They carry their phone everywhere even to the toilet.

The only way to prevent such situations is to build an open relationship with your child, while limiting technology use, constantly watching for signs of addiction and, to the extent possible, supervising online behavior. At the outset, set the rules of Internet use, clearly distinguishing between productive Internet use for homework and nonproductive use such as social networking. Timely intervention could help prevent and reduce cases of Internet addiction.

Friday, September 12, 2014

It was a great delight to speak at the Tenth Edition of i5 Talks on “Building a cyber-resilient & secure cyber space for industry and cyber citizens” organized by Tech Mahindra. The talks brought together insightful perspectives from the leading lights of the Indian security industry in vibrant talks and panel discussions. Speakers included eminent CISOs, entrepreneurs, researchers, bloggers, consultants and hackers. I spoke on the three big risks to cyber security and resilience. The first was what happens to a nation if the power grid is shot down by cyber-attacks and fails for long durations; the second demonstrated how exposed cyber citizens are due to the ubiquitous and seamless use of cloud storage; and the third, the high level of organizational skill and investment cyber criminals put in to commit high value cybercrime on financial institutions. A short summary of the speakers and their takeaways:

Aseem Jhakar, Director, Payatu Technologies

Lack of communication between the hacker community and the industry is a big problem. Hackers are seen as untouchables except when they are needed the most

Bug bounty trends are increasing and rewards are sufficient to sustain a hacker’s income

Industry has maligned the word “hacker”. Today, the word and community is associated with criminals.

Vishal Salvi, Chief Information Security Officer, HDFC

Companies need to transform and build a new security architecture to meet new and emerging threats

Industry competitors need to collaborate to build secure supply chains to ensure that common suppliers do not skip investing in security

Agile security should be the new paradigm. The current models of reacting to incidents or building defense in depth are too slow to combat the spate of attacks

Security is today beyond CIA and assets – looks towards the business

Keith Prabhu, Chairman, Cloud Security Alliance, Mumbai chapter

We need to brave the risks of using the cloud by using secure technology. We cannot go back to the bullock cart age because cars today are unsafe

It is a matter of time before we see the first big attack on a cloud provider. They are a big target that cybercriminals cannot ignore

The case of a refrigerator sending spam, is simply the tip of the iceberg as far as the Internet of things is concerned

Dr Zia Saquib, ED, CDAC

The Indian Government is researching on the use of alternate protocols to IP for setting up our secure critical infrastructure like nuclear stations

The Indian Government has allocated large funds to the enhancement of IT and security

Shomiron Dasgupta, founder, NetMonastery

Entrepreneurship is difficult and needs perseverance

Signal protection will be the next security wave

LS Subramaniam, CEO, NISE and Blogger

Consumer education is a must to thwart cloud risks as they are easy prey for social engineering attacks

Monday, September 8, 2014

For those who missed attending Cloudsec 2014 at Mumbai, CNBC TV 18 has put out a 30 minute condensed version with the main messages on YouTube. Cloudsec 2014 brought in expert perspectives on the security of cloud services and the fast growing Internet of Everything.

There was
public outcry when the Los Angeles artist XVALA, nee Jeff Hamilton announced last
week that his upcoming exhibition titled “No Delete” would include the recently
leaked nude private images of Jennifer Lawrence and Kate Upton.

Shown life-size and uncensored, the images form part of XVALA’s campaign called “Fear Google”, a protest in the ongoing privacy debate over how large online businesses and search engines have turned an individual’s privacy into everybody’s business. XVALA’s earlier exhibitions had featured celebrity images, including a portrait of Britney Spears with her shaved head and nude images of Scarlett Johansson (at that time with the private parts covered with “Fear Google” logos). Early last year, he melted down trash collected from Jobs’ home to build a sculpture of the Mac creator, complete with iPhone in hand, to demonstrate that individuals are “giving out all our information to the Internet just as we give our trash to the world.” Besides Jobs, he targeted other leading figures like Mark Zuckerberg. His project, titled “Not Very Well Hung Hangers Of Silicon Valley,” was to build items from the personal belongings of people whose companies profit from the collection of our data.

XVALA used Google to find the addresses of Internet leading lights, and to mine for the compromised images either inadvertently posted or leaked by paparazzi or hackers.

He rightly states that once we share our images with technology our privacy is at stake. The debate over the tradeoff between free online services and privacy is raging, and in the next few years, judging by the way the industry is moving, there will be better privacy protection for users, both paid and unpaid, of online services. But till then we all remain at risk.

Most of us have read or heard that over 100 nude photographs of prominent celebrities like Jennifer Lawrence and Kate Upton were posted on many anonymous online bulletin boards. These celebrities had two things in common: firstly, they used Apple iCloud to back up their store of photographs, and secondly, many had deleted the published pictures one or two years prior.

Obviously, nude pictures or videos of celebrities are worth a lot of money to collectors who bought and sold these pictures on underground forums. Hackers targeted celebrity accounts for these pictures because of their high demand in the underground markets. Reports suggested that hackers compromised iCloud accounts by guessing either the account password or the answer to the secret question, and probably held on to this access for several years because the account owner never changed the password or the answer to the secret question. iCloud’s password protection services during this period lacked basic security features such as alerts on backups or one time authentication passwords, which would have prevented this type of known attack. In the near future, we may see an enriched set of security features such as one time authentication.

Nude photographs of celebrities certainly made hot news and sparked universal outrage, security awareness and an FBI hunt for these hackers. Yet online sites such as the bulletin boards, which notoriously benefited before they self-censored under the threat of legal action, have gone scot-free.

Once online
and public, these photographs besides finding their way into the hands of many
individuals, have found home in several interesting places such as pornographic
sites and even to an upcoming art event called “No Delete” in Los Angeles which
will print onto life-sized canvas the leaked private images of Jennifer
Lawrence and Kate Upton.

While we dwell on the sensational and juicy fallout of these nude revelations, all cybercitizens, particularly those that sext, should pause and reflect. Surely, it could have been your photo that is on one of these sub groups, porn sites or revenge sites, or circulating on peer-to-peer networks among your partner’s friends. Like collectors, partners may over a drink share or compare pictures in competition or conquest. To protect oneself, reflect on the potential fallout when you create, transmit or store sensitive personal information that may be used against you by third parties that get their hands on it or when relationships sour. Would you regret a nude picture taken five years ago that suddenly appeared when you are happily in a relationship, or be able to laugh it off? Do ask yourself.

To find out what one must do to secure one’s password and be aware of cyber risks to personal privacy, do download and read my book “StaySafe CyberCitizen”.

Saturday, September 6, 2014

I was
delighted to have conducted my first tutorial for parents on "How to keep
children safe online" on Teachers Day, 5th Sept. It was a proud moment and
I was able to receive feedback from enthusiastic parents on how to improve the
material. The audience was very touched and emotional as I showed them the
video on Amanda Todd
and explained to them what happened to her. For many she remains a teacher and
a hope. The tutorial description is given below and for those interested; the
training content “Keeping
your child safe online” is available to download.

Cybersecurity Awareness for Parents

“Is your child safe while using the Internet?” is a nagging question that all parents seek to answer. While parents are convinced that every child must know how to use the Internet, most are unaware of the extent of cyber risk and the vulnerability of their children to it. Cyber-criminals will continue to reach your child in the confines of your homes, schools and in crowded places. Threats cannot be wished away, left to others or simply ignored. We need to assess such threats, take prudent steps and use best practices to reduce their danger.

Parents, who
are digital immigrants compared with their children, digital natives adept
at navigating the bylanes of the Internet, find themselves at a loss to guide and
mentor their children on their online behavior. The session “Keep Your Child
Safe Online” exposes parents to real-life cyber risks and provides guidelines to
identify vulnerable children and steps to protect their children from cyber
risks.

Spend two
hours in a frank, open and interactive guided session with cyber expert Lucius
Lobo, author of the book “Stay Safe CyberCitizen”, to understand the dark
secrets behind the Internet and simple steps to protect your family.

South Korea
is a perfect example of a soon-to-be interconnected world, where all
citizens have high-speed broadband, regularly access online e-commerce and
e-governance services, and where online activities like games form a major part
of social interactions. Large-scale online services centralize the aggregation
of user credentials such as email ids and passwords, making these online stores
a juicy target for cybercriminals and offensive nation state actors.

Cyber
criminals who obtain possession of these caches of personal data sell them to
organized gangs that specialize in email fraud or that withdraw small sums
from the online balances of gaming and other financial accounts. Nation state
actors may use these credentials to disrupt vital economic operations by
shutting down, or altering the integrity of operation of, financial systems or
utilities.

Not only are
these credentials hacked through the exploitation of online vulnerabilities and
poor system security design, but they are also breached by trusted insiders with
privileged access who steal and sell them for a fee.

Four major
incidents in South Korea, all in the last year, in which almost 50% of the
credentials of the nation’s population were stolen, highlighted the impact and
ease of exploitation of these online stores. According to press reports:

· A group of hackers successfully compromised 220 million records of 27 million
people from online gaming sites.

· Hackers broke into the popular Nate and Cyworld websites, extracting names, email
addresses, phone numbers and resident registration numbers of 35 million users.

· Regulators fined three credit card companies after 20 million residents had their data
stolen by an IT contractor.

· The theft of 12 million names, resident registration numbers and bank account details
from telecom company KT Corp was being investigated by the government.

These
incidents will not remain isolated to South Korea but will happen across the
world, as in-country online services proliferate.

Email
addresses are no longer secret; they are freely given away by people on
business cards, survey forms or even to solicit advertising mails. These addresses
have been aggregated and compiled into large databases which are sold globally
for a small fee. There are also programs which trawl the net searching
specifically for email addresses. Given the scale of data breaches and
aggregation of email information, every cybercitizen should consider their
email address to be in the hands of at least one organized cybercriminal ring.

Given this
assumption, one should expect to be a target of email scams or deliberate
attacks to steal banking credentials or to install malware that will later be
used to steal banking credentials and personal data. To minimize the impact of
such adverse fallouts, cybercitizens must ensure that they do not use the same
password on multiple systems and use unique passwords for key banking and other
services that can affect their wallet or reputation. Frequently changing
passwords reduces the window of exposure and consequently losses. The other
important consideration is to keep an eye out for email scams. To know more, do read
“Online Email Scams a multibillion dollar business or not? You decide”.

To prevent
malware, ensure that you do not log onto your computer with administrative
rights when using the Internet. Create another profile without administrative
rights for Internet use.

About Me

Security author and passionate blogger @LuciusonSecurity writing on risks that affect Internet users such as cyber crime, defamation, impersonation, privacy and security. Working hard to reduce cyber risks to some of the world's largest businesses. Find me on Twitter @luciuslobo or Linkedin at http://in.linkedin.com/in/luciuslobo